What is CVE-2026-29786?

CVE-2026-29786 is a vulnerability in Isaacs Node-tar, classified under Path Traversal. Published 2026-03-07.

Is CVE-2026-29786 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Path Traversal in Isaacs Node-tar

CVE-2026-29786

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables fil…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (0.9th percentile) — read the EPSS interpretation.

Affected products

Isaacs Node-tar — versions < 7.5.10

Weakness classification (CWE)

Public proof-of-concept exploits

References

https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96 (x_refsource_CONFIRM)
https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-29786?: CVE-2026-29786 is a vulnerability in Isaacs Node-tar, classified under Path Traversal. Published 2026-03-07.
Is CVE-2026-29786 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.